Multi-Source Anomaly Detection and Automated Dynamic Resolution System

ABSTRACT

Arrangements for detecting anomalies and dynamically generating a response are presented. In some examples, attribute data including a plurality of source elements may be received. The source element data may be received from a plurality of source computing systems. The attribute data, including the source element data, may be analyzed using machine learning techniques to identify any anomalies in the attribute data. If an anomaly is detected, a notification may be generated including data associated with the anomaly, a user associated with the anomaly and the like. The notification may be transmitted to a computing device for display. In some examples, if an anomaly is detected, data associated with the anomaly may be compared to pre-stored rules to determine whether a pre-stored rule applies to the identified anomaly. If a pre-stored rule applies, an instruction or command may be generated and transmitted to one or more source computing devices or systems.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a continuation of and claims priority to co-pending U.S. application Ser. No. 16/600,682, filed Oct. 14, 2019, and entitled, “Multi-Source Anomaly Detection and Automated Dynamic Resolution System,” which is incorporated herein by reference in its entirety.

BACKGROUND

Aspects of the disclosure relate to electrical computers, systems, and devices for multi-source anomaly detection and resolution. In particular, one or more aspects of the disclosure relate to using machine learning to detect anomalies in multi-source data and dynamically generate resolution instructions.

Large enterprise organizations can have tens of thousands or even hundreds of thousands of employees. In many large enterprise organizations, employees may have similar roles but work in different business units, may have different roles but be within a same salary level or band, or the like. Accordingly, understanding whether various attributes of the employees, such as compensation, benefits, and the like, are being handled similarly or in an appropriate manner can be difficult when evaluating such a large number of employees. Further, given the number of employees in such large enterprise organizations, unauthorized activity may often go unnoticed for extended periods or forever. Accordingly, it would be advantageous to use machine learning to understand and evaluate attributes associated with employees to detect anomalies and automatically execute dynamic resolutions to control one or more computing systems in order to mitigate impact of a detected anomaly.

SUMMARY

The following presents a simplified summary in order to provide a basic understanding of some aspects of the disclosure. The summary is not an extensive overview of the disclosure. It is neither intended to identify key or critical elements of the disclosure nor to delineate the scope of the disclosure. The following summary merely presents some concepts of the disclosure in a simplified form as a prelude to the description below.

Aspects of the disclosure provide effective, efficient, scalable, and convenient technical solutions that address and overcome the technical problems associated with evaluating attributes of vast numbers of employees within an enterprise to identify anomalies and quickly and efficiently implement a dynamic response to mitigate impact of the anomaly.

In some examples, attribute data may be received. The attribute data may include data associated with a plurality of source elements. In some examples, the source element data may be received from a plurality of source computing systems or devices. The attribute data, including the source element data, may be analyzed using machine learning techniques to identify any anomalies in the attribute data. If an anomaly is detected, a notification may be generated including data associated with the anomaly, a user associated with the anomaly and the like. The notification may be transmitted to a computing device for display.

In some examples, if an anomaly is detected, data associated with the anomaly, user, or the like, may be compared to pre-stored rules to determine whether a pre-stored rule applies to the identified anomaly, user, or the like. If a pre-stored rule applies, an instruction or command may be generated and transmitted to one or more source computing devices or systems. In some examples, the instruction or command may limit access to one or more systems or applications, prevent distribution from one or more systems or applications by an identified user, and the like.

These features, along with many others, are discussed in greater detail below.

BRIEF DESCRIPTION OF THE DRAWINGS

The present disclosure is illustrated by way of example and not limited in the accompanying figures in which like reference numerals indicate similar elements and in which:

FIGS. 1A and 1B depict an illustrative computing environment for implementing multi-source anomaly detection in accordance with one or more aspects described herein;

FIGS. 2A-2F depict an illustrative event sequence for implementing multi-source anomaly detection in accordance with one or more aspects described herein;

FIG. 3 depicts an illustrative method for implementing and using multi-source anomaly detection according to one or more aspects described herein;

FIG. 4 illustrates one example operating user interface that may be generated in accordance with one or more aspects described herein;

FIG. 5 illustrates one example environment in which various aspects of the disclosure may be implemented in accordance with one or more aspects described herein; and

FIG. 6 depicts an illustrative block diagram of workstations and servers that may be used to implement the processes and functions of certain aspects of the present disclosure in accordance with one or more aspects described herein.

DETAILED DESCRIPTION

In the following description of various illustrative embodiments, reference is made to the accompanying drawings, which form a part hereof, and in which is shown, by way of illustration, various embodiments in which aspects of the disclosure may be practiced. It is to be understood that other embodiments may be utilized, and structural and functional modifications may be made, without departing from the scope of the present disclosure.

It is noted that various connections between elements are discussed in the following description. It is noted that these connections are general and, unless specified otherwise, may be direct or indirect, wired or wireless, and that the specification is not intended to be limiting in this respect.

As discussed above, large enterprise organizations may have tens or even hundreds of thousands of employees to manage, monitor, and the like. When evaluating issues or attributes such as compensation, benefits, and the like, it can be difficult to accurately compare employees in similar roles but different business units, different roles but at the same salary level, or the like. Further, it can be difficult to monitor attributes to detect unauthorized activity, such as a deliberate overpayment of an expense reimbursement, a repeated higher than deserved bonus, or the like. Accordingly, aspects described herein are directed to using machine learning techniques to evaluate attributes associated with a plurality of employees to identify variances or anomalies in the attributes.

As discussed herein, attribute data and associated source element data may be received. In some examples, the attribute data including source element data may be received from a plurality of source element computing systems. The data may be analyzed using machine learning to detect anomalies or variances in the data. If an anomaly is detected, in some examples, a notification may be generated including data related to the anomaly, a user associated with the anomaly, and the like. The notification may be transmitted to a computing device for display.

In some arrangements, the data associated with the anomaly, user, or the like, may be compared to one or more pre-stored rules related to various types of anomalies and actions to mitigate impact of an anomaly. If the data matches or otherwise corresponds to a pre-stored rule (e.g., falls within parameters or criteria of the pre-stored rule), an instruction or command may be generated and transmitted to one or more of the source element computing systems. In some examples, the instruction or command, when executed, may cause the source element computing system to restrict access to the system or one or more applications (e.g., for a particular user or users), prevent disbursement of funds to a particular user or by a particular user, and the like.

These and various other arrangements will be discussed more fully below.

FIGS. 1A-1B depict an illustrative computing environment for implementing and using a system for multi-source anomaly detection and processing in accordance with one or more aspects described herein. Referring to FIG. 1A, computing environment 100 may include one or more computing devices and/or other computing systems. For example, computing environment 100 may include multi-source anomaly detection computing platform 110, a source computing system 120, a source computing system 125, a first local user computing device 150, a second local user computing device 155, a first remote user computing device 170, and a second remote user computing device 175. Although two source computing systems 120, 125 are shown in FIG. 1A, more or fewer computing systems may be used without departing from the invention. Further, although the multi-source anomaly detection computing platform 110, source computing system 120, and source computing system 125 are described as separate devices in some aspects, the multi-source anomaly detection computing platform 110 may be integrated into (e.g., within a same physical device, in communication with or connected to, or the like) source computing system 120 and/or source computing system 125, without departing from the invention.

Multi-source anomaly detection computing platform 110 may be configured to provide intelligent, dynamic, detection of anomalies in data received from a plurality of sources using, for example, machine learning. For instance, historical data may be received and used as machine learning training data in order to evaluate subsequent data from the plurality of sources to detect one or more anomalies. For instance, data may be received from a plurality of sources, such as source computing system 120, source computing system 125, and the like. Each source computing system 120, 125 may be a separate system or may be integrated within another source computing system. In some examples, each source computing system 120, 125 may capture, process, store, and the like, a different source element (e.g., different data format, data type, or the like) associated with an attribute being evaluated. For instance, the multi-source anomaly detection computing platform 110 may be used to identify anomalies in an attribute such as compensation at, for instance, large enterprise organizations. Compensation may include a plurality of source elements, such as salary, hourly pay, bonuses, deferred compensation, expense reimbursement, and the like. In some arrangements, each source element or type of compensation input may be received from a different source computing system. In other examples, one or more types of data may be received from a same source computing system.

In some examples, receiving the source elements may include receiving data associated with each source element. For instance, salary data for a plurality of employees may be received. Each salary data element may be associated with an employee and may include a name, employee number or other unique identifier of the employee, as well as a compensation band or level, role of the employee, business unit of the employee, and the like. Accordingly, source elements for each attribute may be evaluated, e.g., using machine learning, to compare source elements across a same role within an organization, at a same or similar salary band or level, within a group or business unit, or the like. Accordingly, anomalies in data may be detected more quickly, efficiently, and accurately because vast amounts of data are being compared across different working groups, business units, roles, and the like, to provide a clear picture of the attribute throughout the organization. Anomalies may include overpayment, underpayment, unauthorized payment, and the like.

Source computing system 120, source computing system 125, and the like, may be a computing device or plurality of devices suitable for hosting and/or executing one or more applications configured to receive source element data, process source element data, generate source element outputs, and the like. For instance, source computing system 120, source computing system 125, and the like, may include one or more computing devices hosting and/or executing applications configured to store user information (e.g., information related to employees of an enterprise), receive and process payroll for an enterprise, receive and process expense account reimbursements, receive and process bonuses or deferred compensation, or the like.

Local user computing device 150, 155 and remote user computing device 170, 175 may be configured to communicate with and/or connect to one or more computing devices or systems shown in FIG. 1A. For instance, local user computing device 150, 155 may communicate with one or more computing systems or devices via network 190, while remote user computing device 170, 175 may communicate with one or more computing systems or devices via network 195. In some examples, local user computing device 150, 155 may be used to access the multi-source anomaly detection computing platform 110, source computing system 120, source computing system 125, or the like to control parameters associated with the devices or systems, update or execute rules, modify settings and the like. In some examples, local user computing device 150, local user computing device 155, and the like may receive and display notifications of detected anomalies and/or may execute predetermined rules in response to detection of an anomaly.

The remote user computing device 170 and remote user computing device 175 may be used to communicate with, for example, one or more systems, computing platforms, devices, or the like, to receive and display one or more notifications related to an anomaly, receive and display an output of one or more rules executed in response to detection of an anomaly, or the like. Remote user computing devices 170, 175 may include user computing devices, such as mobile devices including smartphones, tablets, laptop computers, and the like, and/or desktop or other computing devices.

Computing environment 100 also may include one or more computing platforms. For example, and as noted above, computing environment 100 may include multi-source anomaly detection computing platform 110. As illustrated in greater detail below, multi-source anomaly detection computing platform 110 may include one or more computing devices configured to perform one or more of the functions described herein. For example, multi-source anomaly detection computing platform 110 may include one or more computers (e.g., laptop computers, desktop computers, servers, server blades, or the like).

As mentioned above, computing environment 100 also may include one or more networks, which may interconnect one or more of multi-source anomaly detection computing platform 110, source computing system 120, source computing system 125, local user computing device 150, local user computing device 155, remote user computing device 170, and/or remote user computing device 175. For example, computing environment 100 may include private network 190 and public network 195. Private network 190 and/or public network 195 may include one or more sub-networks (e.g., Local Area Networks (LANs), Wide Area Networks (WANs), or the like). Private network 190 may be associated with a particular organization (e.g., a corporation, financial institution, educational institution, governmental institution, or the like) and may interconnect one or more computing devices associated with the organization. For example, multi-source anomaly detection computing platform 110, source computing system 120, source computing system 125, local user computing device 150, and local user computing device 155, may be associated with an organization (e.g., a financial institution), and private network 190 may be associated with and/or operated by the organization, and may include one or more networks (e.g., LANs, WANs, virtual private networks (VPNs), or the like) that interconnect multi-source anomaly detection computing platform 110, source computing system 120, source computing system 125, local user computing device 150, local user computing device 155, and one or more other computing devices and/or computer systems that are used by, operated by, and/or otherwise associated with the organization. Public network 195 may connect private network 190 and/or one or more computing devices connected thereto (e.g., multi-source anomaly detection computing platform 110, source computing system 120, source computing system 125, local user computing device 150, local user computing device 155) with one or more networks and/or computing devices that are not associated with the organization. For example, remote user computing device 170, remote user computing device 175, might not be associated with an organization that operates private network 190 (e.g., because remote user computing device 170, remote user computing device 175, may be owned, operated, and/or serviced by one or more entities different from the organization that operates private network 190, such as a second entity different from the entity, one or more customers of the organization, one or more employees of the organization, public or government entities, and/or vendors of the organization, rather than being owned and/or operated by the organization itself), and public network 195 may include one or more networks (e.g., the internet) that connect remote user computing device 170, remote user computing device 175, to private network 190 and/or one or more computing devices connected thereto (e.g., multi-source anomaly detection computing platform 110, source computing system 120, source computing system 125, local user computing device 150, local user computing device 155).

Referring to FIG. 1B, multi-source anomaly detection computing platform 110 may include one or more processors 111, memory 112, and communication interface 113. A data bus may interconnect processor(s) 111, memory 112, and communication interface 113. Communication interface 113 may be a network interface configured to support communication between multi-source anomaly detection computing platform 110 and one or more networks (e.g., private network 190, public network 195, or the like). Memory 112 may include one or more program modules having instructions that when executed by processor(s) 111 cause multi-source anomaly detection computing platform 110 to perform one or more functions described herein and/or one or more databases that may store and/or otherwise maintain information which may be used by such program modules and/or processor(s) 111. In some instances, the one or more program modules and/or databases may be stored by and/or maintained in different memory units of multi-source anomaly detection computing platform 110 and/or by different computing devices that may form and/or otherwise make up multi-source anomaly detection computing platform 110.

For example, memory 112 may have, store and/or include a registration module 112 a. Registration module 112 a may store instructions and/or data that may cause or enable the multi-source anomaly detection computing platform 110 to receive data related to one or more source element systems, such as source computing system 120, source computing system 125, and the like. The data may include system identifiers, types of data stored or processed by a particular system, and the like. Further, receipt of the registration data may cause generation of one or more instructions or commands to transmit source element data from the source computing system(s) to multi-source anomaly detection computing platform 110. For instance, data may be transmitted in real-time as it is processed, in a batch process at a predetermined date or time, as a batch process after expiration of a time period (e.g., every 24 hours, every week, or the like), and the like. The generated instruction or command may be transmitted from the multi-source anomaly detection computing platform 110 to one or more source element systems, such as source computing system 120, source computing system 125, and the like.

Multi-source anomaly detection computing platform 110 may further have, store and/or include a source element processing module 112 b. Source element processing module 112 b may store instructions and/or data that may cause or enable the multi-source anomaly detection computing platform 110 to receive data from one or more sources, such as source computing system 120, source computing system 125, and the like. The source data may include source elements associated with different attributes, different users, and the like. For instance, the source data may include data associated with a compensation attribute and may include source elements such as annual compensation, rate of pay, expense reimbursement, bonus, and the like, for a plurality of employees at an enterprise. The plurality of employees may include employees in different business units, having a same or similar role, having different roles, having a same or similar level or band, having a different level or band, and the like. Data associated with each employee may be received by the multi-source anomaly detection computing platform 110 and processed using, for instance, machine learning.

For example, the multi-source anomaly detection computing platform 110 may have, store and/or include a machine learning engine 112 c and machine learning datasets 112 d. Machine learning engine 112 c and machine learning datasets 112 d may store instructions and/or data that may cause or enable multi-source anomaly detection computing platform 110 to receive attribute data, including a plurality of source elements, and analyze the data to identify any anomalies in the data. In some examples, the anomalies may include inadvertent errors made. Additionally or alternatively, the anomalies may include unauthorized activity.

Machine learning engine 112 c may identify patterns in the attribute data to identify anomalies. The machine learning datasets 112 d may be generated based on previously analyzed data (e.g., data from previously received data, historical data, and the like), raw data, and/or received from one or more outside sources.

The machine learning engine 112 c may receive data related to attributes, source elements, and the like, and, using one or more machine learning algorithms, may generate and/or update or validate one or more machine learning datasets 112 d. Various machine learning algorithms may be used without departing from the invention, such as supervised learning algorithms, unsupervised learning algorithms, regression algorithms (e.g., linear regression, logistic regression, and the like), instance based algorithms (e.g., learning vector quantization, locally weighted learning, and the like), regularization algorithms (e.g., ridge regression, least-angle regression, and the like), decision tree algorithms, Bayesian algorithms, clustering algorithms, artificial neural network algorithms, and the like. Additional or alternative machine learning algorithms may be used without departing from the invention. In some examples, the machine learning engine 112 c may analyze data to identify patterns of activity, sequences of activity, and the like, to generate one or more machine learning datasets 112 d.

Based on the generated machine learning datasets 112 d, anomaly detection module 112 e may identify one or more anomalies or variances in attribute data. For instance, in examples in which the attribute being analyzed is compensation, source elements related to salary, hourly wage, reimbursement, bonus, and the like, may be received and analyzed, by the anomaly detection module 112 e, using machine learning. The outcome of the analysis may be input into other modules of the multi-source anomaly detection computing platform 110 for further processing or action.

For instance, multi-source anomaly detection computing platform 110 may further have, store and/or include a notification generation module 112 f. Notification generation module 112 f may store instructions and/or data that may cause or enable the multi-source anomaly detection computing platform 110 to generate one or more notifications, interactive user interfaces, or the like, based on the output of the anomaly detection module 112 e. For instance, if an anomaly is detected, a notification or interactive user interface may be generated by the notification generation module 112 f. The notification or interactive user interface may include information related to the anomaly or variance, such as type of anomaly (overpayment, underpayment, or the like), user associated with the anomaly, role of user associated with the anomaly, supervisor of user associated with an anomaly, and the like. In some examples, the data presented in the notification or interactive user interface might not include actual values associated with the attribute or source elements. For instance, actual compensation, bonus, or the like, associated with the user of the identified anomaly might not be displayed or provided, thereby maintaining privacy of the user. Further, omitting the actual values associated with the attributes and source elements may reduce processing required, computer storage required, and the like. In some examples, the notification or interactive user interface may include a selectable option to receive the raw data (e.g., compensation values) associated with the attribute and source elements for which the anomaly was detected. In some examples, requesting the raw data may require authorization from a second user, supervisor, or the like, in order to maintain privacy.

The generated notification or interactive user interface may be transmitted to one or more user computing devices, such as local user computing device 150, local user computing device 155, remote user computing device 170, or remote user computing device 175. The notification or interactive user interface may be displayed on the device.

In some examples, data associated with the detection of an anomaly may be input into a rules execution module 112 g. The rules execution module 112 g may store instructions and/or data that may cause or enable the multi-source anomaly detection computing platform 110 to compare the output of the anomaly detection module 112 e to pre-stored rules associated with mitigating actions to take with respect to various anomalies. Based on the comparing, one or more instructions or commands may be generated and transmitted to a source element device, such as source computing system 120, source computing system 125, or the like, for execution. For instance, if the anomaly detection module 112 e identifies a particular group of users having an overpayment in a bonus and each user has a same supervisor, a pre-stored rule may be identified causing generation of an instruction or command to prevent the supervisor from assigning bonus values until an authorized user investigates the anomaly and clears it. The instruction or command may be transmitted to a computing system associated with bonuses (e.g., source computing system 120, source computing system 125, or the like) and may be executed to prevent the supervisor from distributing any additional bonus funds until the matter is investigated.
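The flow described above (peer comparison within a role and band, a notification that omits raw values, and the same-supervisor bonus rule), sketched as an added example that is not part of the original disclosure. A median/MAD score stands in for the unspecified machine learning model, and every field name, threshold, the rule schema, the `bonus-system` target and the sample rows are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed rows: (employee, role, band, supervisor, salary, bonus).
ROWS = [
    ("E01", "analyst", "B2", "S1", 70000, 5000),
    ("E02", "analyst", "B2", "S1", 71000, 5200),
    ("E03", "analyst", "B2", "S2", 69000, 4800),
    ("E04", "analyst", "B2", "S2", 70500, 5100),
    ("E05", "analyst", "B2", "S2", 52000, 4900),    # low salary
    ("E06", "analyst", "B2", "S9", 70200, 21000),   # high bonus
    ("E07", "analyst", "B2", "S9", 69800, 22000),   # high bonus
    ("E08", "analyst", "B2", "S9", 69500, 20500),   # high bonus
    ("E09", "manager", "B4", "S3", 120000, 9000),   # peer group of two:
    ("E10", "manager", "B4", "S3", 125000, 40000),  # too small to score
]

MIN_PEERS = 5    # assumed: smaller peer groups are not scored
THRESHOLD = 3.5  # assumed cut-off for the modified z-score


def source_feed(element, column):
    """Simulate one source computing system sending one source element."""
    return [{"element": element, "emp": r[0], "role": r[1], "band": r[2],
             "supervisor": r[3], "amount": r[column]} for r in ROWS]


def detect(records):
    """Score each record against peers with the same element, role and band."""
    groups = defaultdict(list)
    for rec in records:
        groups[(rec["element"], rec["role"], rec["band"])].append(rec)
    anomalies = []
    for peers in groups.values():
        if len(peers) < MIN_PEERS:
            continue  # not enough peers for a meaningful comparison
        amounts = [p["amount"] for p in peers]
        med = median(amounts)
        mad = median(abs(a - med) for a in amounts)
        if mad == 0:
            continue  # no spread to measure against; avoids division by zero
        for p in peers:
            z = 0.6745 * (p["amount"] - med) / mad  # modified z-score
            if abs(z) > THRESHOLD:
                kind = "overpayment" if z > 0 else "underpayment"
                anomalies.append({**p, "kind": kind})
    return anomalies


def notify(anomaly):
    """Build the notification; the raw amount is deliberately left out."""
    return {k: anomaly[k] for k in ("kind", "element", "emp", "role", "supervisor")}


# Pre-stored rule (hypothetical schema), modelled on the bonus example above.
RULES = [{"element": "bonus", "kind": "overpayment", "min_users": 3,
          "target_system": "bonus-system", "action": "suspend_bonus_assignment"}]


def apply_rules(anomalies, rules=RULES):
    """Return commands for source systems where a rule's criteria are met."""
    commands = []
    for rule in rules:
        by_supervisor = defaultdict(set)
        for a in anomalies:
            if (a["element"], a["kind"]) == (rule["element"], rule["kind"]):
                by_supervisor[a["supervisor"]].add(a["emp"])
        for supervisor, users in sorted(by_supervisor.items()):
            if len(users) >= rule["min_users"]:
                commands.append({"to": rule["target_system"],
                                 "action": rule["action"],
                                 "subject": supervisor,
                                 "affected_users": sorted(users),
                                 "until": "cleared_by_authorized_reviewer"})
    return commands


def run():
    """Ingest two feeds, detect anomalies, build notifications and commands."""
    records = source_feed("salary", 4) + source_feed("bonus", 5)
    anomalies = detect(records)
    return anomalies, [notify(a) for a in anomalies], apply_rules(anomalies)


if __name__ == "__main__":
    found, notes, cmds = run()
    for n in notes:
        print("NOTIFY ", n)
    for c in cmds:
        print("COMMAND", c)
```

The isolated salary anomaly produces only a notification, while the three bonus overpayments under one supervisor also satisfy the rule and produce a single command addressed to the bonus system.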

FIGS. 2A-2F depict one example illustrative event sequence for implementing and using multi-source anomaly detection in accordance with one or more aspects described herein. The events shown in the illustrative event sequence are merely one example sequence and additional events may be added, or events may be omitted, without departing from the invention.

Referring to FIG. 2A, at step 201, one or more attributes for analysis and source elements associated with an attribute may be identified. For instance, compensation may be an attribute being evaluated and source elements, such as salary, bonus, deferred compensation, expense account reimbursement, and the like, associated with the compensation attribute may be identified. In another example, benefits costs may be the attribute being identified and source elements associated with benefit costs, such as healthcare, retirement plan, life insurance, disability insurance, and the like, may be identified. In some examples, each source element may be processed, stored, or the like, at a different source element computing system, such as source computing system 120, source computing system 125, or the like. Additionally or alternatively, two or more source elements may be processed, stored, or the like, by a same source element computing system, such as source computing system 120, source computing system 125, or the like.

After identifying the attribute being analyzed as well as associated source elements, the local user computing device 150 may generate registration data at step 202. Registration data may include identifiers associated with each source element system from which data will be received and analyzed (e.g., source computing system 120, source computing system 125, or the like), type of data to be transmitted from the source computing systems, amount of data to be transmitted, and the like.

At step 203, a connection may be established between the local user computing device 150 and the multi-source anomaly detection computing platform 110. For instance, a first wireless connection may be established between the multi-source anomaly detection computing platform 110 and local user computing device 150. Upon establishing the first wireless connection, a communication session may be initiated between multi-source anomaly detection computing platform 110 and local user computing device 150.

At step 204, the generated registration data may be transmitted from the local user computing device 150 to the multi-source anomaly detection computing platform 110. For instance, the generated registration data may be transmitted during the communication session initiated upon establishing the first wireless connection.

At step 205, the registration data may be received by the multi-source anomaly detection computing platform 110. Responsive to receiving the registration data, one or more anomaly detection functions may be initiated and/or activated at step 206. For instance, one or more processes or functions that were previously disabled or deactivated may be enabled or activated in response to receiving the registration data.

With reference to FIG. 2B, at step 207, instructions for data transmission may be generated. For instance, based on the registration data, instructions for type of data, frequency of transmission, and the like, may be generated for each source element data system, such as source computing system 120, source computing system 125, and the like. In some examples, data may be transmitted in real-time or near real-time as it is generated (e.g., as payroll is processed, data may be transmitted in real-time or near real-time to the multi-source anomaly detection computing platform 110). In another example, if bonuses are distributed on the second Wednesday of December, then that data may be transmitted in a batch process on that date. Various other frequencies for transmission of data may be used without departing from the invention.

After generating the instruction(s) for data transmission, the instructions may be transmitted to each source element data system, such as a source computing system 120, source computing system 125, and the like. Accordingly, at step 208, a connection may be established between multi-source anomaly detection computing platform 110 and source computing system 120. For instance, a second wireless connection may be established between the multi-source anomaly detection computing platform 110 and source computing system 120. Upon establishing the second wireless connection, a communication session may be initiated between multi-source anomaly detection computing platform 110 and source computing system 120.

At step 209, the instruction generated for transmission of source element data from source computing system 120 may be transmitted from the multi-source anomaly detection computing platform 110 to the source computing system 120. For instance, the instruction may be transmitted during the communication session initiated upon establishing the second wireless connection.

At step 210, the instruction may be received by the source computing system 120 and executed by the system to retrieve and transmit identified data at the identified frequency.

At step 211, a connection may be established between multi-source anomaly detection computing platform 110 and source computing system 125. For instance, a third wireless connection may be established between the multi-source anomaly detection computing platform 110 and source computing system 125. Upon establishing the third wireless connection, a communication session may be initiated between multi-source anomaly detection computing platform 110 and source computing system 125.

At step 212, the instruction generated for transmission of source element data from source computing system 125 may be transmitted from the multi-source anomaly detection computing platform 110 to the source computing system 125. For instance, the instruction may be transmitted during the communication session initiated upon establishing the third wireless connection.

With reference to FIG. 2C, at step 213, the instruction may be received by the source computing system 125 and executed by the system to retrieve and transmit identified data at the identified frequency.

At step 214, source element response data may be retrieved for transmission to the multi-source anomaly detection computing platform 110. For instance, at the frequency, date and time, or the like, identified in the instruction from the multi-source anomaly detection computing platform 110, the identified data may be retrieved, response data may be generated and, at step 215, the source element response data may be transmitted from the source computing system 120 to multi-source anomaly detection computing platform 110.

At step 216, the source element response data may be received by the multi-source anomaly detection computing platform 110.

At step 217, source element response data may be retrieved for transmission to the multi-source anomaly detection computing platform 110. For instance, at the frequency, date and time, or the like, identified in the instruction from the multi-source anomaly detection computing platform 110, the identified source element data may be retrieved, source element response data may be generated and, at step 218, source element response data may be transmitted from the source computing system 125 to multi-source anomaly detection computing platform 110.

With reference to FIG. 2D, at step 219, the source element response data may be received by the multi-source anomaly detection computing platform 110.

In some examples, the source element data received from source computing system 120 may be different (e.g., different type of data, different source element, different attribute, or the like) from the source element data received from source computing system 125.

In some examples, the source element response data may be mapped as it is received by the multi-source anomaly detection computing platform 110. For instance, source element data received may be mapped to a single table with each person having entries for salary, bonus, expense reimbursement, and the like, as well as employment details such as team, group or business unit, salary band or level, role within the organization, and the like.

At step 220, the received source element response data may be analyzed using, for instance, machine learning. For example, the source element response data from one or more or all source element computer systems, such as source computing system 120, source computing system 125, and the like, may be analyzed to identify patterns, sequences, and the like, as well as any outliers from the identified patterns, sequences, and the like.

Based on the analysis, at step 221, an anomaly or variance in the source element data may be detected. As discussed herein, the anomaly may include an inadvertent error and/or an unauthorized action.

At step 222, data associated with the detected anomaly or variance may be extracted. For instance, a user associated with the anomaly, role of the user associated with the anomaly, supervisor of the user associated with the anomaly, amount of the anomaly, frequency of the anomaly (e.g., if the anomaly occurred more than once), and the like, may be extracted from the data. In some examples, actual values associated with the source element data may be omitted or obscured to maintain privacy of the user. For instance, if compensation is the attribute being evaluated and an anomaly is detected for a user, the actual values of the user's compensation may be removed from the data, obscured or otherwise omitted in order to prevent distribution of the compensation values. If the compensation values are going to be used in further investigation, an investigating user may request the values or raw data for further analysis.

At step 223, a notification or interactive user interface may be generated. For instance, based on the extracted data, a notification or interactive user interface may be generated to include a type of anomaly, frequency of anomaly, user(s) involved, and the like.

With reference to FIG. 2E, at step 224, a connection may be established between multi-source anomaly detection computing platform 110 and local user computing device 150. For instance, a fourth wireless connection may be established between the multi-source anomaly detection computing platform 110 and local user computing device 150. Upon establishing the fourth wireless connection, a communication session may be initiated between multi-source anomaly detection computing platform 110 and local user computing device 150.

At step 225, the generated notification may be transmitted from the multi-source anomaly detection computing platform 110 to the local user computing device 150. For instance, the generated notification may be transmitted during the communication session initiated upon establishing the fourth wireless connection.

At step 226, the notification may be received by the local user computing device 150 and displayed by a display of the local user computing device 150. In some examples, the notification may include an interactive user interface with options to request additional information, raw data, and the like.

At step 227, the notification data (e.g., type of anomaly, user data, and the like) may be compared to pre-stored rules. For instance, a type of anomaly may be compared to pre-stored rules related to actions (e.g., mitigating actions) to be implemented (in some examples, automatically) in response to a particular type of anomaly, particular amount associated with an anomaly, nature of an anomaly, or the like.

Based on the comparison to the pre-stored rules, if a rule applies to the data associated with this particular anomaly (e.g., from the notification), one or more instructions or commands may be generated at step 228. The instruction or command may be executed to mitigate an impact of the detected anomaly. The instruction or command may be transmitted to one or more source element systems, such as source computing system 120, source computing system 125, or the like, for execution.

With reference to FIG. 2F, at step 229, a connection may be established between multi-source anomaly detection computing platform 110 and source computing system 120. For instance, a fifth wireless connection may be established between the multi-source anomaly detection computing platform 110 and source computing system 120. Upon establishing the fifth wireless connection, a communication session may be initiated between the multi-source anomaly detection computing platform 110 and the source computing system 120.

At step 230, the generated instruction or command may be transmitted from the multi-source anomaly detection computing platform 110 to the source computing system 120. At step 231, the instruction or command may be received by source computing system 120 and executed by source computing system 120.

At step 232, a connection may be established between multi-source anomaly detection computing platform 110 and source computing system 125. For instance, a sixth wireless connection may be established between the multi-source anomaly detection computing platform 110 and source computing system 125. Upon establishing the sixth wireless connection, a communication session may be initiated between the multi-source anomaly detection computing platform 110 and the source computing system 125.

At step 233, the generated instruction or command may be transmitted from the multi-source anomaly detection computing platform 110 to the source computing system 125. At step 234, the instruction or command may be received by source computing system 125 and executed by source computing system 125.

The executed instruction or command may cause the source computing system to execute processes, functions or actions to mitigate impact of an anomaly. For instance, the executed instruction or command may prevent access to one or more systems by one or more users, may institute a requirement for additional authentication or a second user authentication to access one or more systems or applications, may prevent a user from dispensing funds for a particular purpose or using a particular system, or the like.

FIG. 3 is a flow chart illustrating one example method of implementing multi-source anomaly detection according to one or more aspects described herein. The processes illustrated in FIG. 3 are merely some example processes and functions. The steps shown may be performed in the order shown, in a different order, more steps may be added, or one or more steps may be omitted, without departing from the invention.

At step 300, historical or machine learning training data may be received from one or more sources. The data may include data associated with various attributes, as well as a plurality of source elements associated with each attribute. Based on the received data, one or more machine learning datasets may be generated at step 302.

At step 304, first attribute data including corresponding source element data may be received. In some examples, the first attribute data may be related to an attribute such as compensation, benefits, or the like, for a plurality of employees within an enterprise, and the source element data may include source elements associated with each attribute, as discussed herein.

At step 306, the received first attribute data may be analyzed using, for example, machine learning. For instance, the generated machine learning datasets may be used to analyze the received first attribute data and associated source element data to determine whether any anomalies in the data exist. Anomalies may be detected based on comparison of source elements between users within a group such as a business unit, between users having a same role within the enterprise, between users having similar job duties within the enterprise, between users having similar patterns of compensation, or the like. Anomalies may be detected based on various other aspects without departing from the invention.

At step 308, a determination may be made as to whether an anomaly or variance has been detected. If not, the process may return to step 304 and additional attribute data (e.g., second attribute data) and associated source element data may be received and analyzed.

If, at step 308, an anomaly or variance is detected, a notification may be generated at step 310. In some examples, the notification may include data associated with the anomaly (e.g., type of anomaly, amount of anomaly, or the like), one or more users associated with the anomaly (e.g., employee and supervisor, or the like), source element associated with the anomaly, and the like. In some arrangements, the notification might not include raw data or actual values associated with the analyzed source element data. This information may be requested in order to conduct an investigation but not presented in an initial notification in order to maintain privacy of a user, reduce computing and storage resources, and the like.

At step 312, the notification may be transmitted to a computing device for display. For instance, the notification may be transmitted to an administrator or other supervisory user for evaluation, next steps, further processing, or the like.

At step 314, the notification data (e.g., data presented in notification) may be compared to pre-stored rules. The pre-stored rules may be associated with actions to be implemented in response to particular types of anomalies, amounts of anomalies, or the like.

At step 316, based on the comparison, if a pre-stored rule applies to the notification data, an instruction or command may be generated and transmitted to one or more source element systems from which attribute data including one or more source elements is received. For instance, an instruction or command to limit accessibility to one or more systems, prevent actions taken within a system or application, or the like, may be generated and transmitted to one or more source systems, such as source computing system 120, source computing system 125, or the like, for execution.
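The rule comparison and instruction generation of steps 314 and 316 (steps 227 and 228 in FIGS. 2E and 2F) can be sketched as follows. This is an added example, not code from the disclosure: the rule fields, the ordinal `band` and `frequency` values, the action names and the `source_system_120`/`source_system_125` identifiers are assumptions chosen to mirror the mitigating actions the description lists.

```python
from dataclasses import dataclass

# Assumed vocabulary, modelled on the mitigating actions in the description.
ALLOWED_ACTIONS = {"prevent_access", "require_second_authentication",
                   "prevent_disbursement"}
# Hypothetical identifiers for the source systems that execute instructions.
KNOWN_SYSTEMS = {"source_system_120", "source_system_125"}


@dataclass(frozen=True)
class Rule:
    name: str
    anomaly_type: str
    min_band: int        # assumed ordinal variance band (1 = low, 3 = high)
    min_frequency: int   # how many times the anomaly has occurred
    action: str
    targets: tuple

    def __post_init__(self):
        # Fail closed: a rule that names an unknown action or system is
        # rejected when loaded instead of being silently skipped later.
        if self.action not in ALLOWED_ACTIONS:
            raise ValueError(f"{self.name}: unknown action {self.action!r}")
        unknown = set(self.targets) - KNOWN_SYSTEMS
        if unknown:
            raise ValueError(f"{self.name}: unknown targets {sorted(unknown)}")

    def applies(self, note):
        return (note["type"] == self.anomaly_type
                and note["band"] >= self.min_band
                and note["frequency"] >= self.min_frequency)


# Constructed pre-stored rules.
RULES = (
    Rule("reimb-repeat", "expense_reimbursement_variance", 1, 2,
         "require_second_authentication", ("source_system_125",)),
    Rule("reimb-severe", "expense_reimbursement_variance", 3, 1,
         "prevent_disbursement", ("source_system_125",)),
    Rule("reimb-severe-both", "expense_reimbursement_variance", 3, 2,
         "require_second_authentication",
         ("source_system_120", "source_system_125")),
    Rule("comp-severe", "compensation_variance", 3, 1,
         "prevent_disbursement", ("source_system_120",)),
)


def generate_instructions(note, rules=RULES):
    """Compare notification data to the rules; return one instruction per
    (target system, action), listing every rule that triggered it."""
    merged = {}
    for rule in rules:
        if not rule.applies(note):
            continue
        for target in rule.targets:
            instr = merged.setdefault((target, rule.action), {
                "target": target,
                "action": rule.action,
                "subject": note["user"],   # user associated with the anomaly
                "anomaly_id": note["id"],
                "rules": [],               # audit trail for the reviewer
            })
            instr["rules"].append(rule.name)
    # Only the fields above are copied, so raw values never leave with the
    # instruction even if the notification carried them.
    return sorted(merged.values(), key=lambda i: (i["target"], i["action"]))


if __name__ == "__main__":
    sample = {"id": "A-1", "type": "expense_reimbursement_variance",
              "band": 3, "frequency": 2, "user": "u06"}  # constructed
    for instruction in generate_instructions(sample):
        print(instruction)
```

A notification that matches no rule yields an empty list, which corresponds to the notification-only path in which no command is sent to a source system.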

FIG. 4 illustrates one example interactive user interface displaying notification data in accordance with one or more aspects described herein. The interface 400 includes identification of a type of anomaly, user associated with the anomaly and role of the user, as well as a supervisor of the user associated with the anomaly. The data provided is merely one example of data that may be displayed and more or fewer items may be displayed without departing from the invention.

The user interface 400 further includes a selectable option to review raw data associated with the anomaly. As discussed herein, actual values associated with the anomaly might not be displayed with the notification to reduce computing resources and storage, maintain privacy, and the like. Accordingly, selection of the option to receive the raw data may prompt the system to collect the raw data and transmit it in a predetermined format to the user device. In some examples, selection of the option to request raw data may cause display of a second user interface requiring approval from a supervisor or second user to retrieve the raw data.

As discussed herein, aspects described herein are directed to evaluating attribute data associated with a plurality of users, such as employees of an organization, large enterprise organization, or the like. The attribute data may be analyzed using machine learning to identify anomalies or variances in the data and generate dynamic resolution instructions that may be executed, in some examples, automatically, to mitigate impact of an anomaly or variance.

As discussed herein, attribute data may be received from a plurality of sources. For instance, source element data associated with each attribute may be received from one or more source element computing devices or systems. Accordingly, data from multiple sources may be analyzed in the same process or simultaneously to capture a whole picture of the attribute in order to detect anomalies.

For instance, in analyzing an attribute such as compensation, compensation values (e.g., source element data) from various sources may be received and analyzed together. For example, salary, bonus, hourly rate, expense account reimbursement and associated details, parking, travel, phone costs, and the like, may be evaluated in a process to detect potential anomalies between users, between business units, across the organization, or the like. In some examples, employment information of the users may be considered in the evaluation to identify anomalies across users having different or the same title, job duties, or the like.

For example, user A in group A may have a similar job to user B in group B. User A and User B may have similar tenure with the organization. Accordingly, it would be expected that user A and user B would have similar compensation levels. However, based on the analysis described herein, an anomaly may identify that user B is paid considerably more than user A. This may prompt generation of a notification and investigation into why user B is paid so much more. Granular analysis across all employees within an organization is not possible or efficient using conventional systems. Accordingly, anomalies might not be detected if conventional systems are relied upon. The arrangements described herein may aid in reducing or eliminating human resources risk across teams, within teams, and the like, to ensure compensation is as expected for various employees.

In another example, unauthorized activity by users may be detected using the arrangements discussed herein. For instance, arrangements discussed herein may be used to identify overpayment of reimbursement expenses by a particular supervisor for one or more users, reimbursement of certain expenses for some users and not others by one or more supervisors or business units or teams (e.g., consistency of what is being reimbursed within or between teams), distribution of most promising leads in commission based positions to particular users by a supervisor, and the like. These and various other unauthorized activities may be detected by analyzing the attribute data for users across the organization using the arrangements described herein.

As discussed herein, machine learning datasets may be generated using training data or other historical data. This data may be used to generate baseline values and the datasets may be validated and/or updated based on subsequent data. The historical data used to train the machine learning techniques or establish the baseline data may include user-based data, role-based data, salary band or level-based data, and the like, across the organization. This data establishes baseline levels and should not have great variance. For instance, in the example of expense reimbursements, there should be relatively little variance between users of similar roles, or the like, because everyone should be expensing similar items, receiving similar reimbursement, and the like.

Accordingly, because machine learning can be used to quickly and efficiently evaluate data across the entire organization, the analysis may trigger notifications based on various anomalies that would likely be missed in conventional systems.

As also discussed herein, anomalies may be flagged and notifications may be generated and provided based on the detected anomaly without providing the actual compensation values for a user. For instance, evaluation of data points may be performed with a binary (0, 1) output. If no issue or anomaly is detected, a 0 value may be output. A detected anomaly may cause output of a 1 which may then trigger alerts, notifications, and the like. This may reduce processing power required, storage required for the outputs, and the like. The notification, as discussed herein, may then provide an option to receive the raw data.

In some examples, if an anomaly meets a predetermined threshold, the raw data (e.g., compensation values for one or more users, or the like) may be automatically provided in a notification. For instance, if an anomaly indicates at least a threshold variance from a normal or expected value, the raw data, including, for instance, compensation values, may be automatically provided to the administrative user reviewing the anomalies in order to quickly and efficiently evaluate the anomaly. In some examples, the threshold and associated parameters may be stored as a pre-stored rule that may be triggered based on data associated with the anomaly.

In some examples, the raw data provided may include data for the user having the anomaly, as well as data for associated users. For instance, if a user within a business unit has substantially higher compensation than others with similar roles within the business unit, raw data for only that business unit may be retrieved initially to permit evaluation of the user associated with the anomaly.

In some examples, open source data, such as locality data, and the like, may be considered during evaluation of the attribute data. Accordingly, the system may detect an anomaly in compensation but may then recognize that the user is located in a high cost of living area and may recognize that the discrepancy is due to the difference in locality and, thus, is not an anomaly.
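The binary output, the threshold for automatically attaching raw data and the locality adjustment described above can be combined in one peer-group check. The following is an added example, not code from the disclosure, which does not specify a model: a median/MAD modified z-score stands in for the machine learning analysis, and the field names, cut-offs, minimum group size and cost-of-living multipliers are assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: one row per user after source element data from several
# source systems has been mapped to a single table (all values invented).
COLUMNS = ("user", "supervisor", "role", "locality", "salary", "bonus", "expenses")
ROWS = [
    ("u01", "s1", "analyst", "std", 70000, 5000, 1200),
    ("u02", "s1", "analyst", "std", 72000, 5000, 1100),
    ("u03", "s1", "analyst", "std", 69000, 4500, 1300),
    ("u04", "s2", "analyst", "std", 71000, 5200, 1000),
    ("u05", "s2", "analyst", "high", 92000, 6500, 1500),  # high cost-of-living area
    ("u06", "s2", "analyst", "std", 71000, 5000, 9500),   # inflated reimbursements
    ("u07", "s3", "analyst", "std", 70000, 40000, 1200),  # extreme bonus
    ("u08", "s3", "director", "std", 150000, 30000, 4000),
    ("u09", "s3", "director", "std", 210000, 90000, 9000),
]
RECORDS = [dict(zip(COLUMNS, row)) for row in ROWS]

SOURCE_ELEMENTS = ("salary", "bonus", "expenses")
LOCALITY_FACTOR = {"std": 1.0, "high": 1.3}  # assumed cost-of-living multipliers
FLAG_Z = 3.5      # assumed cut-off for the binary output
RAW_DATA_Z = 8.0  # assumed threshold for attaching raw values automatically
MIN_PEERS = 5     # assumed minimum group size for a usable baseline


def comparable_total(rec, adjust_locality=True):
    """Sum the source elements and optionally normalise by locality."""
    total = sum(rec[e] for e in SOURCE_ELEMENTS)
    return total / LOCALITY_FACTOR[rec["locality"]] if adjust_locality else total


def robust_z(value, peers):
    """Modified z-score: distance from the peer median in units of MAD."""
    med = median(peers)
    mad = median(abs(p - med) for p in peers)
    if mad == 0:
        if value == med:
            return 0.0
        return float("inf") if value > med else float("-inf")
    return 0.6745 * (value - med) / mad


def detect(records, adjust_locality=True):
    """Return ({user: 0 or 1}, [notifications]) using same-role peer groups."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["role"]].append(rec)

    flags, notifications = {}, []
    for role, members in groups.items():
        if len(members) < MIN_PEERS:
            # Too few peers to form a baseline: output 0 rather than guess.
            flags.update({m["user"]: 0 for m in members})
            continue
        totals = [comparable_total(m, adjust_locality) for m in members]
        for rec, total in zip(members, totals):
            z = robust_z(total, totals)
            flags[rec["user"]] = 1 if abs(z) >= FLAG_Z else 0
            if not flags[rec["user"]]:
                continue
            note = {
                "type": "compensation_variance",
                "user": rec["user"],
                "role": role,
                "supervisor": rec["supervisor"],
                "direction": "above" if z > 0 else "below",
            }
            # Raw values stay out of the notification unless the variance
            # crosses the higher threshold.
            if abs(z) >= RAW_DATA_Z:
                note["raw"] = {e: rec[e] for e in SOURCE_ELEMENTS}
            notifications.append(note)
    return flags, notifications


if __name__ == "__main__":
    flags, notes = detect(RECORDS)
    print(flags)
    for n in notes:
        print(n)
```

Calling `detect(RECORDS, adjust_locality=False)` on the same constructed data flags the high-cost-of-living user instead, which is the false positive the locality step is meant to remove.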

FIG. 5 depicts an illustrative operating environment in which various aspects of the present disclosure may be implemented in accordance with one or more example embodiments. Referring to FIG. 5, computing system environment 500 may be used according to one or more illustrative embodiments. Computing system environment 500 is only one example of a suitable computing environment and is not intended to suggest any limitation as to the scope of use or functionality contained in the disclosure. Computing system environment 500 should not be interpreted as having any dependency or requirement relating to any one or combination of components shown in illustrative computing system environment 500.

Computing system environment 500 may include multi-source anomaly detection computing device 501 having processor 503 for controlling overall operation of multi-source anomaly detection computing device 501 and its associated components, including Random Access Memory (RAM) 505, Read-Only Memory (ROM) 507, communications module 509, and memory 515. Multi-source anomaly detection computing device 501 may include a variety of computer readable media. Computer readable media may be any available media that may be accessed by multi-source anomaly detection computing device 501, may be non-transitory, and may include volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, object code, data structures, program modules, or other data. Examples of computer readable media may include Random Access Memory (RAM), Read Only Memory (ROM), Electronically Erasable Programmable Read-Only Memory (EEPROM), flash memory or other memory technology, Compact Disk Read-Only Memory (CD-ROM), Digital Versatile Disk (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and that can be accessed by multi-source anomaly detection computing device 501.

Although not required, various aspects described herein may be embodied as a method, a data transfer system, or as a computer-readable medium storing computer-executable instructions. For example, a computer-readable medium storing instructions to cause a processor to perform steps of a method in accordance with aspects of the disclosed embodiments is contemplated. For example, aspects of method steps disclosed herein may be executed on a processor on multi-source anomaly detection computing device 501. Such a processor may execute computer-executable instructions stored on a computer-readable medium.

Software may be stored within memory 515 and/or storage to provide instructions to processor 503 for enabling multi-source anomaly detection computing device 501 to perform various functions as discussed herein. For example, memory 515 may store software used by multi-source anomaly detection computing device 501, such as operating system 517, application programs 519, and associated database 521. Also, some or all of the computer executable instructions for multi-source anomaly detection computing device 501 may be embodied in hardware or firmware. Although not shown, RAM 505 may include one or more applications representing the application data stored in RAM 505 while multi-source anomaly detection computing device 501 is on and corresponding software applications (e.g., software tasks) are running on multi-source anomaly detection computing device 501.

Communications module 509 may include a microphone, keypad, touch screen, and/or stylus through which a user of multi-source anomaly detection computing device 501 may provide input, and may also include one or more of a speaker for providing audio output and a video display device for providing textual, audiovisual and/or graphical output. Computing system environment 500 may also include optical scanners (not shown).

Multi-source anomaly detection computing device 501 may operate in a networked environment supporting connections to one or more remote computing devices, such as computing devices 541 and 551. Computing devices 541 and 551 may be personal computing devices or servers that include any or all of the elements described above relative to multi-source anomaly detection computing device 501.

The network connections depicted in FIG. 5 may include Local Area Network (LAN) 525 and Wide Area Network (WAN) 529, as well as other networks. When used in a LAN networking environment, multi-source anomaly detection computing device 501 may be connected to LAN 525 through a network interface or adapter in communications module 509. When used in a WAN networking environment, multi-source anomaly detection computing device 501 may include a modem in communications module 509 or other means for establishing communications over WAN 529, such as network 531 (e.g., public network, private network, Internet, intranet, and the like). The network connections shown are illustrative and other means of establishing a communications link between the computing devices may be used. Various well-known protocols such as Transmission Control Protocol/Internet Protocol (TCP/IP), Ethernet, File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP) and the like may be used, and the system can be operated in a client-server configuration to permit a user to retrieve web pages from a web-based server.

The disclosure is operational with numerous other computing system environments or configurations. Examples of computing systems, environments, and/or configurations that may be suitable for use with the disclosed embodiments include, but are not limited to, personal computers (PCs), server computers, hand-held or laptop devices, smart phones, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like that are configured to perform the functions described herein.

FIG. 6 depicts an illustrative block diagram of workstations and servers that may be used to implement the processes and functions of certain aspects of the present disclosure in accordance with one or more example embodiments. Referring to FIG. 6, illustrative system 600 may be used for implementing example embodiments according to the present disclosure. As illustrated, system 600 may include one or more workstation computers 601. Workstation 601 may be, for example, a desktop computer, a smartphone, a wireless device, a tablet computer, a laptop computer, and the like, configured to perform various processes described herein. Workstations 601 may be local or remote, and may be connected by one of communications links 602 to computer network 603 that is linked via communications link 605 to multi-source anomaly detection server 604. In system 600, multi-source anomaly detection server 604 may be a server, processor, computer, or data processing device, or combination of the same, configured to perform the functions and/or processes described herein. Server 604 may be used to receive historical data, generate machine learning datasets, receive attribute data including source element data, analyze source element data to detect anomalies, generate notifications, generate instructions for mitigating actions, and the like.

Computer network 603 may be any suitable computer network including the Internet, an intranet, a Wide-Area Network (WAN), a Local-Area Network (LAN), a wireless network, a Digital Subscriber Line (DSL) network, a frame relay network, an Asynchronous Transfer Mode network, a Virtual Private Network (VPN), or any combination of any of the same. Communications links 602 and 605 may be communications links suitable for communicating between workstations 601 and multi-source anomaly detection server 604, such as network links, dial-up links, wireless links, hard-wired links, as well as network types developed in the future, and the like.

One or more aspects of the disclosure may be embodied in computer-usable data or computer-executable instructions, such as in one or more program modules, executed by one or more computers or other devices to perform the operations described herein. Generally, program modules include routines, programs, objects, components, data structures, and the like that perform particular tasks or implement particular abstract data types when executed by one or more processors in a computer or other data processing device. The computer-executable instructions may be stored as computer-readable instructions on a computer-readable medium such as a hard disk, optical disk, removable storage media, solid-state memory, RAM, and the like. The functionality of the program modules may be combined or distributed as desired in various embodiments. In addition, the functionality may be embodied in whole or in part in firmware or hardware equivalents, such as integrated circuits, Application-Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGA), and the like. Particular data structures may be used to more effectively implement one or more aspects of the disclosure, and such data structures are contemplated to be within the scope of computer executable instructions and computer-usable data described herein.

Various aspects described herein may be embodied as a method, anapparatus, or as one or more computer-readable media storingcomputer-executable instructions. Accordingly, those aspects may takethe form of an entirely hardware embodiment, an entirely softwareembodiment, an entirely firmware embodiment, or an embodiment combiningsoftware, hardware, and firmware aspects in any combination. Inaddition, various signals representing data or events as describedherein may be transferred between a source and a destination in the formof light or electromagnetic waves traveling through signal-conductingmedia such as metal wires, optical fibers, or wireless transmissionmedia (e.g., air or space). In general, the one or morecomputer-readable media may be and/or include one or more non-transitorycomputer-readable media.

As described herein, the various methods and acts may be operativeacross one or more computing servers and one or more networks. Thefunctionality may be distributed in any manner, or may be located in asingle computing device (e.g., a server, a client computer, and thelike). For example, in alternative embodiments, one or more of thecomputing platforms discussed above may be combined into a singlecomputing platform, and the various functions of each computing platformmay be performed by the single computing platform. In such arrangements,any and/or all of the above-discussed communications between computingplatforms may correspond to data being accessed, moved, modified,updated, and/or otherwise used by the single computing platform.Additionally or alternatively, one or more of the computing platformsdiscussed above may be implemented in one or more virtual machines thatare provided by one or more physical computing devices. In sucharrangements, the various functions of each computing platform may beperformed by the one or more virtual machines, and any and/or all of theabove-discussed communications between computing platforms maycorrespond to data being accessed, moved, modified, updated, and/orotherwise used by the one or more virtual machines.

Aspects of the disclosure have been described in terms of illustrative embodiments thereof. Numerous other embodiments, modifications, and variations within the scope and spirit of the appended claims will occur to persons of ordinary skill in the art from a review of this disclosure. For example, one or more of the steps depicted in the illustrative figures may be performed in other than the recited order, one or more steps described with respect to one figure may be used in combination with one or more steps described with respect to another figure, and/or one or more depicted steps may be optional in accordance with aspects of the disclosure.

What is claimed is:
 1. A computing platform, comprising: at least one processor; a communication interface communicatively coupled to the at least one processor; and a memory storing computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: receive first attribute data and a plurality of associated source elements for a plurality of users; analyze the first attribute data using machine learning datasets; based on the analysis of the first attribute data, determine whether an anomaly is present in the first attribute data; responsive determining that an anomaly is present in the first attribute data: generate a notification including data associated with the anomaly and data associated with a first user associated with the anomaly; transmit the notification to a computing device of a second user different from the first user; compare the data associated with the anomaly and the data associated with the first user to pre-stored rules; generate, based on the comparing, an instruction modifying access to one or more systems from which the plurality of associated source elements is received, wherein the generated instruction modifying access to the one or more systems from which the plurality of associated source elements is received includes an instruction preventing disbursement of funds to the first user; transmit the generated instruction modifying access to the one or more systems from which the plurality of associated source elements is received to the one or more systems, from which the plurality of associated source elements is received, for execution; and responsive to determining that an anomaly is not present in the first attribute data, receive and analyze additional attribute data.
 2. The computing platform of claim 1, further including instructions that, when executed, cause the computing platform to: receive historical data related to a plurality of attributes, each attribute associated with a user and each attribute including a plurality of source elements; and generate, based on the received historical data, a plurality of machine learning datasets for analyzing attribute data.
 3. The computing platform of claim 1, wherein the second user is a supervisor of the first user.
 4. The computing platform of claim 1, wherein the generated notification does not include raw data including values associated with the plurality of associated source elements associated with the first attribute data.
 5. The computing platform of claim 4, wherein the generated notification includes a selectable option to receive the raw data.
 6. The computing platform of claim 5, further including instructions that, when executed, cause the computing platform to: receive selection of the selectable option to receive the raw data; responsive to receiving the selection of the selectable option to receive the raw data, collect the raw data; and transmit the collected raw data to the computing device of the second user in a pre-determined format.
 7. The computing platform of claim 1, wherein the first attribute data includes a compensation attribute and the plurality of associated source elements includes at least two of: salary and bonus for each user of the plurality of users.
 8. A method, comprising: receiving, by a computing platform having at least a first processor and memory, first attribute data and a plurality of associated source elements for a plurality of users; analyzing, by the at least a first processor, the first attribute data using machine learning datasets; based on the analysis of the first attribute data, determining, by the at least a first processor, whether an anomaly is present in the first attribute data; if it is determined that an anomaly is present in the first attribute data: generating, by the at least a first processor, a notification including data associated with the anomaly and data associated with a first user associated with the anomaly; transmitting, by the at least a first processor, the notification to a computing device of a second user different from the first user; comparing, by the at least a first processor, the data associated with the anomaly and the data associated with the first user to pre-stored rules; generating, by the at least a first processor and based on the comparing, an instruction modifying access to one or more systems from which the plurality of associated source elements is received, wherein the generated instruction modifying access to the one or more systems from which the plurality of associated source elements is received includes an instruction preventing disbursement of funds to the first user; transmitting, by the at least a first processor, the generated instruction modifying access to the one or more systems from which the plurality of associated source elements is received, to the one or more systems from which the plurality of associated source elements is received, for execution; and if it is determined that an anomaly is not present in the first attribute data, receiving and analyzing, by the first processor, additional attribute data.
 9. The method of claim 8, further including: receiving, by the at least a first processor, historical data related to a plurality of attributes, each attribute associated with a user and each attribute including a plurality of source elements; and generating, by the at least a first processor and based on the received historical data, a plurality of machine learning datasets for analyzing attribute data.
 10. The method of claim 8, wherein the second user is a supervisor of the first user.
 11. The method of claim 8, wherein the generated notification does not include raw data including values associated with the plurality of associated source elements associated with the first attribute data.
 12. The method of claim 11, wherein the generated notification includes a selectable option to receive the raw data.
 13. The method of claim 12, further including: receiving selection of the selectable option to receive the raw data; responsive to receiving the selection of the selectable option to receive the raw the raw data, collect the raw data; and transmit the collected raw data to the computing device of the second user in a pre-determined format.
 14. The method of claim 8, wherein the first attribute data includes a compensation attribute and the plurality of associated source elements includes at least two of: salary and bonus for each user of the plurality of users.
 15. One or more non-transitory computer-readable media storing instructions that, when executed by a computing device comprising at least one processor, memory, and a communication interface, cause the computing device to: receive first attribute data and a plurality of associated source elements for a plurality of users; analyze the first attribute data using machine learning datasets; based on the analysis of the first attribute data, determine whether an anomaly is present in the first attribute data; responsive determining that an anomaly is present in the first attribute data: generate a notification including data associated with the anomaly and data associated with a first user associated with the anomaly; transmit the notification to a computing device of a second user different from the first user; compare the data associated with the anomaly and the data associated with the first user to pre-stored rules; generate, based on the comparing, an instruction modifying access to one or more systems from which the plurality of associated source elements is received, wherein the generated instruction modifying access to the one or more systems from which the plurality of associated source elements is received includes an instruction preventing disbursement of funds to the first user; transmit the generated instruction modifying access to the one or more systems from which the plurality of associated source elements is received, to the one or more systems from which the plurality of associated source elements is received, for execution; and responsive to determining that an anomaly is not present in the first attribute data, receive and analyze additional attribute data.
 16. The one or more non-transitory computer-readable media of claim 15, further including instructions that, when executed, cause the computing device to: receive historical data related to a plurality of attributes, each attribute associated with a user and each attribute including a plurality of source elements; and generate, based on the received historical data, a plurality of machine learning datasets for analyzing attribute data.
 17. The one or more non-transitory computer-readable media of claim 15, wherein the second user is a supervisor of the first user.
 18. The one or more non-transitory computer-readable media of claim 15, wherein the generated notification does not include raw data including values associated with the plurality of associated source elements associated with the first attribute data.
 19. The one or more non-transitory computer-readable media of claim 18, wherein the generated notification includes a selectable option to receive the raw data.
 20. The one or more non-transitory computer-readable media of claim 19, further including instructions that, when executed, cause the computing device to: receive selection of the selectable option to receive the raw data; responsive to receiving the selection of the selectable option to receive the raw data, collect the raw data; and transmit the collected raw data to the computing device of the second user in a pre-determined format.
 21. The one or more non-transitory computer-readable media of claim 15, wherein the first attribute data includes a compensation attribute and the plurality of associated source elements includes at least two of: salary and bonus for each user of the plurality of users.